
CISA Certified Information Systems Auditor Questions and Answers

Questions 4

Due to the increasing size of a database, user access times and daily backups continue to increase. Which of the following would be the BEST way to address this situation?

Options:

A.

Data modeling

B.

Data purging

C.

Data visualization

D.

Data mining

Questions 5

Which of the following is the MOST important process to ensure planned IT system changes are completed in an efficient manner?

Options:

A.

Incident management

B.

Demand management

C.

Release management

D.

Configuration management

Questions 6

To develop a robust data security program, the FIRST course of action should be to:

Options:

A.

perform an inventory of assets.

B.

implement data loss prevention controls.

C.

interview IT senior management.

D.

implement monitoring controls.

Questions 7

An IS auditor reviewing the acquisition of new equipment would consider which of the following to be a significant weakness?

Options:

A.

Evaluation criteria were finalized after the initial assessment of responses.

B.

Staff involved in the evaluation were aware of the vendors being evaluated.

C.

Independent consultants prepared the request for proposal (RFP) documents.

D.

The closing date for responses was extended after a request from potential vendors.

Questions 8

The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?

Options:

A.

Prevention

B.

Inherent

C.

Detection

D.

Control

Questions 9

Inherent risk ratings are determined by assessing the impact and likelihood of a threat or vulnerability occurring:

Options:

A.

Before the risk appetite is established.

B.

After compensating controls have been applied.

C.

After internal controls are taken into account.

D.

Before internal controls are taken into account.

Questions 10

An organization using instant messaging to communicate with customers can prevent legitimate customers from being impersonated by:

Options:

A.

Authenticating users before conversations are initiated.

B.

Using a firewall to limit network traffic to authorized ports.

C.

Logging conversations.

D.

Using call monitoring.

Questions 11

A company laptop has been stolen and all photos on the laptop have been published on social media. Which of the following is the IS auditor's BEST course of action?

Options:

A.

Determine if the laptop had the appropriate level of encryption

B.

Verify the organization's incident reporting policy was followed

C.

Ensure that the appropriate authorities have been notified

D.

Review the photos to determine whether they were for business or personal purposes

Questions 12

When developing a risk-based IS audit plan, the PRIMARY focus should be on functions:

Options:

A.

with the most ineffective controls.

B.

with the greatest number of threats.

C.

considered critical to business operations.

D.

considered important by IT management

Questions 13

Which of the following protects against the impact of temporary and rapid decreases or increases in electricity?

Options:

A.

Emergency power-off switch

B.

Stand-by generator

C.

Redundant power supply

D.

Uninterruptible power supply (UPS)

Questions 14

Which of the following is an IS auditor's GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?

Options:

A.

The organization may be more susceptible to cyber-attacks.

B.

The organization may not be in compliance with licensing agreements.

C.

System functionality may not meet business requirements.

D.

The system may have version control issues.

Questions 15

An IS auditor has assessed a payroll service provider’s security policy and finds significant topics are missing. Which of the following is the auditor’s BEST course of action?

Options:

A.

Recommend the service provider update their policy

B.

Report the risk to internal management

C.

Notify the service provider of the discrepancies.

D.

Recommend replacement of the service provider

Questions 16

Which of the following is the BEST source of information when assessing the amount of time a project will take?

Options:

A.

Critical path analysis

B.

Workforce estimate

C.

Gantt chart

D.

Scheduling budget

Questions 17

The MAJOR reason for segregating test programs from production programs is to:

Options:

A.

provide control over program changes

B.

limit access rights of IS staff to the development environment.

C.

provide the basis for efficient system change management

D.

achieve segregation of duties between IS staff and end users

Questions 18

Which of the following is the BEST way to facilitate proper follow-up for audit findings?

Options:

A.

Conduct a surprise audit to determine whether remediation is in progress

B.

Schedule a follow-up audit for two weeks after the initial audit was completed

C.

Conduct a follow-up audit when findings escalate to incidents

D.

Schedule a follow-up audit based on remediation due dates.

Questions 19

A disk management system’s PRIMARY function is to:

Options:

A.

Provide data on efficient disk usage.

B.

Deny access to disk resident data files.

C.

Monitor disk accesses for analytical review

D.

Provide the method of control for disk usage

Questions 20

Which of the following is the GREATEST benefit of implementing an IT governance strategy within an organization?

Options:

A.

IT projects are delivered on time and under budget

B.

Management is aware of IT-related risks.

C.

Employees understand roles and responsibilities

D.

Reporting and metrics become higher priority.

Questions 21

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

Options:

A.

Upgrade hardware to newer technology.

B.

Increase the capacity of existing systems.

C.

Build a virtual environment

D.

Hire temporary contract workers for the IT function.

Questions 22

While performing a risk-based audit, which of the following would BEST enable an IS auditor to identify and categorize risk?

Options:

A.

Understanding the business environment

B.

Understanding the control framework

C.

Adopting qualitative risk analysis

D.

Developing a comprehensive risk model

Questions 23

Which of the following should be the MOST important consideration when establishing data classification standards?

Options:

A.

Reporting metrics are established.

B.

An education campaign is established upon rollout.

C.

The standards comply with relevant regulations.

D.

Management supports the newly developed standards

Questions 24

An organization is in the process of deciding whether to allow a bring your own device (BYOD) program. If approved, which of the following should be the FIRST control required before implementation?

Options:

A.

An acceptable use policy

B.

Device registration

C.

Device baseline configurations

D.

An awareness program

Questions 25

Which of the following controls will MOST effectively detect inconsistent records resulting from the lack of referential integrity in a database management system?

Options:

A.

Concurrent access controls

B.

Incremental data backups

C.

Performance monitoring tools

D.

Periodic table link checks

Questions 26

An auditor is creating an audit program in which the objective is to establish the adequacy of personal data privacy controls in a payroll process. Which of the following would be MOST important to include?

Options:

A.

Approval of data changes

B.

User access provisioning

C.

Segregation of duties controls

D.

Audit logging of administrative user activity

Questions 27

To help ensure the accuracy and completeness of end-user computing output it is MOST important to include strong:

Options:

A.

documentation controls.

B.

change management controls.

C.

access management controls

D.

reconciliation controls

Questions 28

When conducting a follow-up audit on an organization's firewall configuration, the IS auditor discovered that the firewall had been integrated into a new system that provides both firewall and intrusion detection capabilities. The IS auditor should:

Options:

A.

review the compatibility of the new system with existing network controls

B.

consider the follow-up audit unnecessary since the firewall is no longer being used

C.

assess whether the integrated system addresses the identified risk

D.

evaluate whether current staff is able to support the new system

Questions 29

An organization has outsourced its data leakage monitoring to an Internet service provider (ISP). Which of the following is the BEST way for an IS auditor to determine the effectiveness of this service?

Options:

A.

Review the data leakage clause in the SLA.

B.

Verify the ISP has staff to deal with data leakage.

C.

Simulate a data leakage incident.

D.

Review the ISP's external audit report

Questions 30

The MOST effective way to determine if IT is meeting business requirements is to establish:

Options:

A.

a capability model.

B.

industry benchmarks

C.

key performance indicators (KPls).

D.

organizational goals.

Questions 31

Which of the following would be of MOST concern during an audit of an end-user computing system containing sensitive information?

Options:

A.

Audit logging is not available

B.

Secure authorization is not available

C.

System data is not protected.

D.

The system is not included in inventory.

Questions 32

A security regulation requires the disabling of direct administrator access. Such access must occur through an intermediate server that holds administrator passwords for all systems and records all actions. An IS auditor's PRIMARY concern with this solution would be that:

Options:

A.

it represents a single point of failure

B.

segregation of duties is not observed.

C.

it is not feasible to implement

D.

access logs may not be maintained

Questions 33

Which of the following should be of MOST concern to an IS auditor reviewing an organization’s disaster recovery plan (DRP)?

Options:

A.

Copies of the DRP are not kept in a secure offsite location.

B.

The CIO has not signed off on the DRP

C.

The disaster recovery steps are not detailed.

D.

The responsibility for declaring a disaster is not identified

Questions 34

Cross-site scripting (XSS) attacks are BEST prevented through:

Options:

A.

a three-tier web architecture.

B.

Secure coding practices

C.

application firewall policy settings

D.

use of common industry frameworks.

Questions 35

Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?

Options:

A.

Desktop passwords do not require special characters

B.

Employees are not required to sign a non-compete agreement.

C.

Users lack technical knowledge related to security and data protection

D.

Security education and awareness workshops have not been completed

Questions 36

An IS auditor should ensure that an application's audit trail:

Options:

A.

has adequate security.

B.

is accessible online.

C.

does not impact operational efficiency

D.

logs all database records.

Questions 37

Implementing which of the following would BEST address issues relating to the aging of IT systems?

Options:

A.

IT project management

B.

Configuration management

C.

Application portfolio management

D.

Release management

Questions 38

An organization uses electronic funds transfer (EFT) to pay its vendors. Which of the following should be an IS auditor's MAIN focus while reviewing controls in the accounts payable application?

Options:

A.

Amount of disbursements

B.

Volume of transactions

C.

Changes to the vendor master file

D.

Frequency of transactions

Questions 39

Which of the following observations noted during a review of the organization's social media practices should be of MOST concern to the IS auditor?

Options:

A.

The organization does not require approval for social media posts.

B.

Not all employees using social media have attended the security awareness program.

C.

The organization does not have a documented social media policy.

D.

More than one employee is authorized to publish on social media on behalf of the organization

Questions 40

An organization has established three IS processing environments: development, test, and production. The MAJOR reason for separating the development and test environments is to:

Options:

A.

perform testing in a stable environment

B.

obtain segregation of duties between IS staff and end users.

C.

limit the users' access rights to the test environment.

D.

protect the programs under development from unauthorized testing

Questions 41

An IS auditor is involved in the user testing phase of a development project. The developers wish to use a copy of a peak volume transaction file from the production process to show that the development can cope with the required volume. What is the auditor's PRIMARY concern?

Options:

A.

Users may not wish for production data to be made available for testing.

B.

All functionality of the new process may not be tested.

C.

Sensitive production data may be read by unauthorized persons.

D.

The error-handling and credibility checks may not be fully proven

Questions 42

Which of the following is BEST addressed when using a timestamp within a digital signature to deliver sensitive financial information?

Options:

A.

Authentication

B.

Nonrepudiation

C.

Data integrity

D.

Replay protection

Questions 43

Which of the following is a reason for implementing a decentralized IT governance model?

Options:

A.

Standardized controls and economies of scale

B.

Greater consistency among business units

C.

Greater responsiveness to business needs

D.

IT synergy among business units

Questions 44

Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things (IoT) devices?

Options:

A.

Verify access control lists to the database where collected data is stored.

B.

Determine how devices are connected to the local network.

C.

Confirm that acceptable limits of data bandwidth are defined for each device.

D.

Ensure that message queue telemetry transport (MQTT) is used.

Questions 45

Which of the following data would be used when performing a business impact analysis (BIA)?

Options:

A.

Cost benefit analysis of running the current business

B.

Projected impact of current business on future business

C.

Expected costs for recovering the business

D.

Cost of regulatory compliance

Questions 46

Requiring that passwords contain a combination of numeric and alphabetic characters is MOST effective against which type of attack?

Options:

A.

Dictionary

B.

Denial of service

C.

Social engineering

D.

Programmed

Questions 47

Which of the following should be an IS auditor's FIRST activity when planning an audit?

Options:

A.

Identify proper resources for audit activities.

B.

Gain an understanding of the area to be audited.

C.

Create a list of key controls to be reviewed.

D.

Document specific questions in the audit program

Questions 48

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Options:

A.

postpone follow-up activities and escalate the alternative controls to senior audit management

B.

schedule another audit due to the implementation of alternative controls.

C.

reject the alternative controls and re-prioritize the original issue as high risk.

D.

determine whether the alternative controls sufficiently mitigate the risk and record the results

Questions 49

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:

A.

Post-implementation review objectives

B.

Test cases

C.

Rollback strategy

D.

Business case

Questions 50

During the procurement process which of the following would be the BEST indication that prospective vendors will meet the organization's needs?

Options:

A.

A service catalog is documented.

B.

An account transition manager has been identified.

C.

Expected service levels are defined

D.

The vendor's subcontractors have been identified

Questions 51

An IS auditor is evaluating the log management system for an organization with devices and systems in multiple geographic locations. Which of the following is MOST important for the auditor to verify?

Options:

A.

Log files are concurrently updated.

B.

Log files are encrypted and digitally signed.

C.

Log files are reviewed in multiple locations.

D.

Log files of the servers are synchronized.

Questions 52

During a review of an insurance company's claims system, the IS auditor learns that claims for specific medical procedures are acceptable only from females. This is an example of a:

Options:

A.

logical relationship check

B.

key verification.

C.

completeness check.

D.

reasonableness check

Questions 53

An organization has agreed to perform remediation related to high-risk audit findings. The remediation process involves a complex reorganization of user roles as well as the implementation of several compensating controls that may not be completed within the next audit cycle. Which of the following is the BEST way for an IS auditor to follow up on their activities?

Options:

A.

Provide management with a remediation timeline and verify adherence.

B.

Schedule a review of the controls after the projected remediation date

C.

Review the progress of remediation on a regular basis

D.

Continue to audit the failed controls according to the audit schedule

Questions 54

Which of the following should be of GREATEST concern to an IS auditor reviewing the controls for a continuous software release process?

Options:

A.

Release documentation is not updated to reflect successful deployment

B.

Testing documentation is not attached to production releases.

C.

Developers are able to approve their own releases

D.

Test libraries have not been reviewed in over six months

Questions 55

A maturity model is useful in the assessment of IT service management because it:

Options:

A.

defines the level of control required to meet business needs

B.

provides a benchmark for process improvement

C.

specifies the mechanism needed to achieve defined service levels

D.

indicates the service levels required for the business area.

Questions 56

Both statistical and nonstatistical sampling techniques:

Options:

A.

permit the auditor to quantify and fix the level of risk

B.

permit the auditor to quantify the probability of error.

C.

provide each item an equal opportunity of being selected.

D.

require judgment when defining population characteristics

Questions 57

An IS auditor notes that the anticipated benefits from an ongoing infrastructure project have changed due to recent organizational restructuring. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Review and reapprove the business case

B.

Review business goals and objectives

C.

Conduct a new feasibility study

D.

Review and update the business impact analysis (BIA)

Questions 58

To create a digital signature in a message using asymmetric encryption, it is necessary to:

Options:

A.

first use a symmetric algorithm for the authentication sequence.

B.

encrypt the authentication sequence using a public key.

C.

transmit the actual digital signature in unencrypted clear text.

D.

encrypt the authentication sequence using a private key.

Questions 59

Which of the following would be the GREATEST concern when an organization’s disaster recovery strategy utilizes a cold site?

Options:

A.

The lack of hardware components availability

B.

The lack of electrical power connections

C.

The lack of appropriate environmental controls

D.

The lack of networking infrastructure

Questions 60

An organization considers implementing a system that uses a technology that is not in line with the organization’s IT strategy. Which of the following is the BEST justification for deviating from the IT strategy?

Options:

A.

The system makes use of state-of-the-art technology

B.

The organization has staff familiar with the technology

C.

The system has a reduced cost of ownership

D.

The business benefits are achieved even with extra costs

Questions 61

Which of the following is the MOST effective way to identify anomalous transactions when performing a payroll fraud audit?

Options:

A.

Substantive testing of payroll files

B.

Data analytics on payroll data

C.

Observation of payment processing

D.

Sample-based review of pay stubs

Questions 62

An IS auditor is conducting a pre-implementation review to determine a new system's production readiness. The auditor's PRIMARY concern should be whether:

Options:

A.

benefits realization has been evidenced

B.

there are unresolved high-risk items

C.

the project adhered to the budget and target date.

D.

users were involved in the quality assurance (QA) testing.

Questions 63

An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Options:

A.

Installing security software on the devices

B.

Restricting the use of devices for personal purposes during working hours

C.

Partitioning the work environment from personal space on devices

D.

Preventing users from adding applications

Questions 64

Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?

Options:

A.

Developing a DLP policy and requiring signed acknowledgement by users.

B.

Requiring users to save files in secured folders instead of a company-wide shared drive.

C.

Identifying where existing data resides and establishing a data classification matrix.

D.

Reviewing data transfer logs to determine historical patterns of data flow

Questions 65

An organization has performance metrics to track how well IT resources are being used, but there has been little progress on meeting the organization's goals. Which of the following would be MOST helpful to determine the underlying reason?

Options:

A.

Conducting a root cause analysis

B.

Re-evaluating organizational goals

C.

Re-evaluating key performance indicators (KPls)

D.

Conducting a business impact analysis (BIA)

Questions 66

An IS auditor is assigned to review the development of a specific application. Which of the following would be the MOST significant step following the feasibility study?

Options:

A.

Attend project progress meetings to monitor timely implementation of the application.

B.

Assist users in the design of proper acceptance-testing procedures.

C.

Follow up with project sponsor for project's budgets and actual costs.

D.

Review functional design to determine that appropriate controls are planned.

Questions 67

An IS auditor is asked to explain how local area network (LAN) servers can contribute to a rapid dissemination of viruses. The IS auditor's BEST response is that:

Options:

A.

the server's software is the prime target and is the first to be infected

B.

the server's operating system exchanges data with each station starting at every log-on.

C.

the server's file sharing function facilitates the distribution of files and applications.

D.

users of a given server have similar usage of applications and files.

Questions 68

The demilitarized zone (DMZ) is the part of a network where servers that are placed are:

Options:

A.

Running mission-critical, non-web applications

B.

Interacting with the public internet

C.

Running internal department applications

D.

External to the organization

Questions 69

Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's information security awareness?

Options:

A.

Training quizzes are designed and run by a third party company under a contract with the organization

B.

The number of security incidents logged by employees to the help desk has increased in the past year

C.

Security awareness training is run via the organization’s enterprise wide e-learning portal

D.

Security awareness training is not included as part of the onboarding process for new hires.

Questions 70

During a review of an organization's network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution. Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them. What is the BEST way for the auditor to address the situation?

Options:

A.

Further review closed unactioned alerts to identify mishandling of threats

B.

Omit the finding from the report as this practice is in compliance with the current policy

C.

Recommend that management enhance the policy and improve threat awareness training

D.

Reopen unactioned alerts and report to the audit committee

Questions 71

Which of the following BEST ensures that only authorized software is moved into a production environment?

Options:

A.

Restricting read/write access to production code to computer programmers only

B.

Assigning programming managers to transfer tested programs to production

C.

A librarian compiling source code into production after independent testing

D.

Requiring programming staff to move tested code into production

Questions 72

Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted audit techniques (CAATs)?

Options:

A.

To efficiently test an entire population

B.

To perform direct testing of production data

C.

To conduct automated sampling for testing

D.

To enable quicker access to information

Questions 73

Which of the following is the MOST critical characteristic of a biometric system?

Options:

A.

Registration time

B.

Throughput rate

C.

Accuracy

D.

Ease of use

Questions 74

Which of the following factors will BEST promote effective information security management?

Options:

A.

Senior management commitment

B.

Identification and risk assessment of sensitive resources

C.

Security awareness training

D.

Security policy framework

Questions 75

What is the purpose of a hypervisor?

Options:

A.

Monitoring the performance of virtual machines

B.

Cloning virtual machines

C.

Deploying settings to multiple machines simultaneously

D.

Running the virtual machine environment

Questions 76

Which of the following methods should be used to purge confidential data from write-once optical media?

Options:

A.

Degauss the media.

B.

Destroy the media.

C.

Remove the references to data from the access index.

D.

Write over the data with null values.

Questions 77

Which of the following should be reviewed as part of a data integrity test?

Options:

A.

Confidentiality

B.

Data backup

C.

Redundancy

D.

Completeness

Questions 78

A user of a telephone banking system has forgotten his personal identification number (PIN). After the user has been authenticated, the BEST method of issuing a new PIN is to have:

Options:

A.

A randomly generated PIN communicated by banking personnel

B.

Banking personnel assign the user a new PIN via email

C.

The user enter a new PIN twice

D.

Banking personnel verbally assign a new PIN

Questions 79

What is an IS auditor’s BEST recommendation for management if a network vulnerability assessment confirms that critical patches have not been applied since the last assessment?

Options:

A.

Implement a process to test and apply appropriate patches

B.

Apply available patches and continue periodic monitoring

C.

Configure servers to automatically apply available patches

D.

Remove unpatched devices from the network

Questions 80

Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?

Options:

A.

Number of false negatives

B.

Legitimate traffic blocked by the system

C.

Number of false positives

D.

Reliability of IDS logs

Questions 81

A security administrator should have read-only access for which of the following?

Options:

A.

Router configuration

B.

Password policy

C.

Security logs

D.

Services/daemons configuration

Questions 82

Which of the following is the GREATEST concern with conducting penetration testing on an internally developed application in the production environment?

Options:

A.

The testing could create application availability issues.

B.

The testing may identify only known operating system vulnerabilities.

C.

The issues identified during the testing may require significant remediation efforts.

D.

Internal security staff may not be qualified to conduct application penetration testing.

Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Last Update: Aug 12, 2020
Questions: 1040
